Monday, August 07, 2006

Nortel VPN in linux

for using nortel VPN in linux laptop, tried hundred of sites but failed.

So I have decided that installing VMware is best solution.

Becuase disk space is not enough in my toshiba 5100, windows 98 SE was chosen for guest OS.

And installed a nortel extranet 2.56, installing looks fine but failed with error.


Error message saying " Your IPsec tunneling have some problem."

to enable IPsec on Vmware NAT another hundreds of searching was done.
Of cource it was ended with fail.

So I decide to find a VPN client for linux.
Because I don't have Nortel's VPN Client - provided with VPN switch-, have to find a freeware.

First I found "pptp"
apt-get install pptp

to configure this, also installed "pptpconfig"
add following on /etc/apt/sources.list

# James Cameron's PPTP GUI packaging deb http://quozl.netrek.org/pptp/pptpconfig ./
apt-get install pptpconfig

and, start the 'pptpconfig' and add the host.

failed again.








And Found anotheroption, OpenSwan(www.openswan.org) will make a ipsec tunneling in linux.

apt-get install openswan.

it's installed greatly and ipsec command runs fine.
but I didn't find a way to connect VPN.

So have decided to install a cisco vpn client which use a same ipsec protocol.

followings are from http://www.mcmaster.ca/uts/network/vpn/vpnclient_linux.htm

Below is a quick installation and configuration guide for the Linux Cisco VPN client. For more in depth instructions, please refer to the Cisco documentation linked below.

Before you Begin...
  • This software and guide is unsupported by University Technology Services. This means that the installation and software has been tested by UTS, but no telephone support is available.
  • The VPN client consists of a kernel module and a few command-line executables.
    • The kernel module is not pre-compiled, so you may need to make sure that kernel sources for each kernel version that you are intending to use with this client are properly installed.
    • To do this, find either the kernel source or header RPM from your installation cdroms. The most likely location is one of the RPMxx directories on one of the installation CD's. On Mandrake 9.2, it's called kernel-source-2.4.22-10mdk.i586.rpm, on Redhat 9.0 it's called kernel-source-2.4.20-8.i386.rpm. The kernel revision numbers change but you get the idea. Older versions of Linux may have just the kernel-header RPM.
    • Install the RPM (rpm -i kernel-source-xxxxxx.rpm)
    • The module is not Open Source Software, so after it's loaded into your Linux kernel, the kernel will become tainted, and will issue a warning.
  • After successfully establishing a secure connection to the server, the client will listen for packets from the VPN server on 2 ports,UDP 500 and UDP 4500, by default. This means you have to punch a hole in your ipchains/iptables firewall for it. The module will also use IP protocol 50 (ESP) to communicate with the VPN server. That protocol is not filtered by most Linux firewall configurations, however.
  • The CISCO documentation mentions several other ports, quoting:
    • UDP port 500
    • UDP port 10000 and 500 (or any other port number being used for IPSec/UDP)
    • IP protocol 50 (ESP)
    • NAT-T port 4500 UDP
    Allow these ports through your firewall if you don't want any surprises.
  • On our test systems, it appears that the VPN client will not work, when the operating system is running in "Security Enhanced" mode (SELinux). We suggest that you not run the system in this mode, if you plan on using the vpn client. To do this, cd to the /etc/selinux folder ... then edit the config file as follows (change "enforcing" to "disabled"). In this example, it's simply been commented out:
    [root@linuxbox selinux]# more config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - SELinux is fully disabled.
    #SELINUX=enforcing
    SELINUX=disabled
    # SELINUXTYPE= type of policy in use. Possible values are:
    # targeted - Only targeted network daemons are protected.
    # strict - Full SELinux protection.
    SELINUXTYPE=targeted
    [root@linuxbox selinux]#
  • Installation and Configuration Commands, Step by Step

    Below are step by step quick-start instructions. Be sure to connect to your ISP before starting.
    This client has been tested on systems running Fedora Core 4.
    [root@linuxbox ~]# uname -a Linux linuxbox.whatever.mcmaster.ca 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux

    • Become super user (root):
    • [user@vpnclient]$ su -
      Password: {root's password}

      [root@vpnclient root]#
    • Change directory to /usr/src:
    • [root@vpnclient root]# cd /usr/src
    • Download the tar ball from the University web site:
    • [root@localhost root]# wget http://www.mcmaster.ca//uts/network/software/vpnclient4.8.tar.gz
      --09:59:22-- http://www.mcmaster.ca//uts/network/software/vpnclient4.8.tar.gz => `vpnclient4.8.tar.gz'
      Resolving www.mcmaster.ca... 130.113.64.65
      Connecting to www.mcmaster.ca[130.113.64.65]:80... connected.
      HTTP request sent, awaiting response... 200 OK
      Length: 2,050,187 (2.0M) [application/x-tar]

      100%[===============================================>] 2,050,187 10.02M/s 09:59:22 (10.02 MB/s) - `vpnclient4.8.tar.gz' saved [2050187/2050187]

      Length: 2,811,577 [application/x-tar]

      100%[====================================>] 2,811,577 9.31M/s 10:55:29 (9.31 MB/s) - `vpnclient-linux4.7.tar.gz' saved [2,811,577/2,811,577]
    • Decompress and extract it:
    • [root@vpnclient src]# tar xzvf vpnclient4.8.tar.gz

      vpnclient/
      vpnclient/linux_os.h
      vpnclient/IPSecDrvOS_linux.c
      vpnclient/mtu.h
      vpnclient/linuxkernelapi.c
      vpnclient/vpnapi.h
      vpnclient/libdriver64.so
      vpnclient/license.txt
      vpnclient/sample.pcf
      vpnclient/cvpnd
      vpnclient/interceptor.c
      vpnclient/unixcniapi.h
      vpnclient/MacConnect.pcf
      vpnclient/Makefile
      vpnclient/GenDefs.h
      vpnclient/libdriver.so
      vpnclient/config.h
      vpnclient/vpn_uninstall
      vpnclient/McMasterVPN.pcf
      vpnclient/vpnclient_init
      vpnclient/IPSecDrvOS_linux.h
      vpnclient/cisco_cert_mgr
      vpnclient/Cniapi.h
      vpnclient/vpnclient
      vpnclient/libvpnapi.so
      vpnclient/unixkernelapi.h
      vpnclient/ipseclog
      vpnclient/IPSecDrvOSFunctions.h
      vpnclient/linuxcniapi.c
      vpnclient/license.rtf
      vpnclient/vpn_install
      vpnclient/driver_build.sh
      vpnclient/vpnclient.ini
      vpnclient/frag.c
      vpnclient/linuxcniapi.h
      vpnclient/frag.h
      vpnclient/vpn_ioctl_linux.h
    • Change directory to /usr/src/vpnclient:
    • [root@vpnclient src]# cd vpnclient
    • Execute the installer script and answer the prompts:
    • [root@localhost vpnclient]# ./vpn_install
      Cisco Systems VPN Client Version 4.8.00 (0490) Linux Installer
      Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
      By installing this product you agree that you have read the
      license.txt file (The VPN Client license) and will comply with
      its terms.

      Directory where binaries will be installed [/usr/local/bin]

      Automatically start the VPN service at boot time [yes]


      In order to build the VPN kernel module, you must have the
      kernel headers for the version of the kernel you are running.
      Directory containing linux kernel source code [/lib/modules/2.6.16-1.2111_FC4/build]
      * Binaries will be installed in "/usr/local/bin".
      * Modules will be installed in "/lib/modules/2.6.16-1.2111_FC4/CiscoVPN".
      * The VPN service will be started AUTOMATICALLY at boot time.
      * Kernel source from "/lib/modules/2.6.16-1.2111_FC4/build" will be used to build the module.

      Is the above correct [y] y

      Making module
      make -C /lib/modules/2.6.16-1.2111_FC4/build SUBDIRS=/usr/src/vpnclient modules
      make[1]: Entering directory `/usr/src/kernels/2.6.16-1.2111_FC4-i686'
      CC [M] /usr/src/vpnclient/linuxcniapi.o
      CC [M] /usr/src/vpnclient/frag.o
      CC [M] /usr/src/vpnclient/IPSecDrvOS_linux.o
      CC [M] /usr/src/vpnclient/interceptor.o
      /usr/src/vpnclient/interceptor.c: In function ‘handle_vpnup’:
      /usr/src/vpnclient/interceptor.c:310: warning: assignment from incompatible pointer type
      /usr/src/vpnclient/interceptor.c:334: warning: assignment from incompatible pointer type
      /usr/src/vpnclient/interceptor.c:335: warning: assignment from incompatible pointer type
      /usr/src/vpnclient/interceptor.c: In function ‘do_cleanup’:
      /usr/src/vpnclient/interceptor.c:378: warning: assignment from incompatible pointer type
      CC [M] /usr/src/vpnclient/linuxkernelapi.o
      LD [M] /usr/src/vpnclient/cisco_ipsec.o
      Building modules, stage 2.
      MODPOST
      Warning: could not find /usr/src/vpnclient/.libdriver.so.cmd for /usr/src/vpnclient/libdriver.so
      CC /usr/src/vpnclient/cisco_ipsec.mod.o
      LD [M] /usr/src/vpnclient/cisco_ipsec.ko
      make[1]: Leaving directory `/usr/src/kernels/2.6.16-1.2111_FC4-i686'
      Create module directory "/lib/modules/2.6.16-1.2111_FC4/CiscoVPN".
      Copying module to directory "/lib/modules/2.6.16-1.2111_FC4/CiscoVPN".
      Already have group 'bin'

      Creating start/stop script "/etc/init.d/vpnclient_init".
      /etc/init.d/vpnclient_init
      Enabling start/stop script for run level 3,4 and 5.
      Creating global config /etc/opt/cisco-vpnclient

      Installing license.txt (VPN Client license) in "/opt/cisco-vpnclient/":

      Installing bundled user profiles in "/etc/opt/cisco-vpnclient/Profiles/":
      * New Profiles : MacConnect McMasterVPN sample

      Copying binaries to directory "/opt/cisco-vpnclient/bin".
      Adding symlinks to "/usr/local/bin".
      /opt/cisco-vpnclient/bin/vpnclient
      /opt/cisco-vpnclient/bin/cisco_cert_mgr
      /opt/cisco-vpnclient/bin/ipseclog
      Copying setuid binaries to directory "/opt/cisco-vpnclient/bin".
      /opt/cisco-vpnclient/bin/cvpnd
      Copying libraries to directory "/opt/cisco-vpnclient/lib".
      /opt/cisco-vpnclient/lib/libvpnapi.so
      Copying header files to directory "/opt/cisco-vpnclient/include".
      /opt/cisco-vpnclient/include/vpnapi.h

      Setting permissions.
      /opt/cisco-vpnclient/bin/cvpnd (setuid root)
      /opt/cisco-vpnclient (group bin readable)
      /etc/opt/cisco-vpnclient (group bin readable)
      /etc/opt/cisco-vpnclient/Profiles (group bin readable)
      /etc/opt/cisco-vpnclient/Certificates (group bin readable)
      * You may wish to change these permissions to restrict access to root.
      * You must run "/etc/init.d/vpnclient_init start" before using the client.
      * This script will be run AUTOMATICALLY every time you reboot your computer.

    • Load the VPN client's module into the running kernel:

    • [root@localhost vpnclient]# /etc/init.d/vpnclient_init start
      Starting /opt/cisco-vpnclient/bin/vpnclient: Done


    • At this point, we recommend that you restart the operating system ... otherwise, you may get the following message, when invoking the vpnclient: vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied

    • McMaster VPN requires a profile to connect. Two are provided, one for off campus users (McMasterVPN) and one for on campus MacConnect users (MacConnect).
    • The profiles are already installed in /etc/CiscoSystemsVPNClient/Profiles/:
    • To connect, enter your user name and password when prompted:

    • [root@localhost Profiles]# vpnclient connect MacConnect {or McMasterVPN for off Campus (Access from home)}
      Cisco Systems VPN Client Version 4.8.00 (0490)
      Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
      Client Type(s): Linux
      Running on: Linux 2.6.16-1.2111_FC4 #1 Sat May 20 19:59:40 EDT 2006 i686
      Config file directory:

      Initializing the VPN connection.
      Contacting the gateway at 130.113.69.8
      User Authentication for MacConnect...

      Enter Username and Password.

      Username []: (your username)
      Password []: ***************
      Authenticating user.
      Negotiating security policies.
      Securing communication channel.

      For McMaster Authorized Use Only!

      Please ensure you have the latest security patches and anti-virus software applied. Virus-infected
      computers will be disconnected without notice.

      Idle sessions are disconnected after 30 minutes of inactivity.

      All sessions are disconnected after 3 hours of continuous use.

      For assistance, please contact the Technology Service Desk at (905)-525-9140 Ext. 24357.
      Do you wish to continue? (y/n): y

      Your VPN connection is secure.

      VPN tunnel information.
      Client address: 130.113.94.113
      Server address: 130.113.69.8
      Encryption: 168-bit 3-DES
      Authentication: HMAC-MD5
      IP Compression: None
      NAT passthrough is inactive
      Local LAN Access is disabled

    • Note: If you open up another terminal window, and type "ifconfig" you should see - as well as the settings for your network interface, eth0 - another interface listed: "cipsec0" - this is the vpnclient interface. Its IP Address will be listed as well.
    • You should now be connected to the McMaster network. If the connection fails, suspect your firewall first. Try disabling it completely then try the connection again! If the firewall interferes with the VPN, you will need to adjust its configuration.

    Un-installing the Client

    • Use the vpn_uninstall script that comes with the client (/usr/src/vpnclient/vpn_uninstall in our example) to remove the client.

I changed /etc/opt/cisco-vpnclient/Profiles/sample.cnf to kai.pcf :

[main]
Description=KAIExtranetClient
Host=210.118.#.#
AuthType=3 <=== change for non-group authentification


and

root@satellite:~ # vpnclient connect kai
Cisco Systems VPN Client Version 4.8.00 (0490)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.15-26-686 #1 SMP PREEMPT Thu Aug 3 03:13:28 UTC 2006 i686
Config file directory: /etc/opt/cisco-vpnclient

Enter Certificate password: *****
Initializing the VPN connection.
Secure VPN Connection terminated locally by the Client
Reason: Failed to establish a VPN connection.
There are no new notification messages at this time.

Failed again.

so, Tried again on Openswan (IPsec)

root@satellite:~ # cat /etc/ipsec.conf
config setup
interfaces="ipsec0=eth0"
forwardcontrol=no
klipsdebug=none
plutodebug=none
manualstart=
# plutoload=%search
# plutostart=%search
# plutowait=no
conn kai
type=tunnel
auto=start
auth=esp
authby=secret
keyexchange=ike
keylife=1h
keyingtries=1
pfs=yes
left=192.168.209.130
leftnexthop=192.168.209.1
leftsubnet=192.168.209.0/24
right=210.118.#.#
rightsubnet=210.118.#.0/24






root@satellite:~ # cat /etc/ipsec.secrets
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA /etc/ipsec.d/private/satelliteKey.pem
192.168.209.130 210.118.126.201 ""



root@satellite:~ # ipsec setup start
ipsec_setup: Starting Openswan IPsec 2.4.4...
ipsec_setup: insmod /lib/modules/2.6.15-26-686/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.15-26-686/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.15-26-686/kernel/net/xfrm/xfrm_user.ko





root@satellite:~ # ipsec look
satellite Tue Aug 8 15:45:43 CDT 2006
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.209.1 0.0.0.0 UG 0 0 0 eth0
192.168.209.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
210.118.126.0 192.168.209.1 255.255.255.0 UG 0 0 0 eth0


Failed again !!!!


** note that ipsec port 500 is used by another program.

root@satellite:~ # lsof -i:500
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
vmnet-nat 4548 root 6u IPv4 11693 TCP *:isakmp (LISTEN)
vmnet-nat 4548 root 7u IPv4 11694 UDP *:isakmp

in this case, you should close the vmware nat.



root@satellite:/etc/vmware/vmnet8/nat # /etc/init.d/vmware stop
Stopping VMware services:
Virtual machine monitor done
Bridged networking on /dev/vmnet0 done
DHCP server on /dev/vmnet1 done
Host-only networking on /dev/vmnet1 done
DHCP server on /dev/vmnet8 done
NAT service on /dev/vmnet8 done
Host-only networking on /dev/vmnet8 done
Virtual ethernet done

No comments: